wp/wp-admin/admin-post.php
changeset 19 3d72ae0968f4
parent 16 a86126ab1dd4
child 21 48c4eec2b7e6
--- a/wp/wp-admin/admin-post.php	Wed Sep 21 18:19:35 2022 +0200
+++ b/wp/wp-admin/admin-post.php	Tue Sep 27 16:37:53 2022 +0200
@@ -29,7 +29,12 @@
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );
 
-$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action'];
+$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
+
+// Reject invalid parameters.
+if ( ! is_scalar( $action ) ) {
+	wp_die( '', 400 );
+}
 
 if ( ! is_user_logged_in() ) {
 	if ( empty( $action ) ) {
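Review bot: The comment `// Reject invalid parameters.` on the new `is_scalar()` guard is vaguer than the check itself: `$_REQUEST` entries are either strings or arrays, so what this rejects in practice is an array-valued `action`, which would otherwise be interpolated into the `admin_post_nopriv_{$action}` / `admin_post_{$action}` hook names in the following hunks and produce an array-to-string conversion there. Suggest `// Reject non-scalar (array) values: $action is interpolated into a hook name below.` so the next maintainer sees why the guard sits before the hook lookups. The rewritten ternary on the line above is a pure inversion of the previous expression and does not change behavior. The `is_user_logged_in()` block that starts on the last line continues outside this hunk.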
@@ -40,6 +45,11 @@
 		 */
 		do_action( 'admin_post_nopriv' );
 	} else {
+		// If no action is registered, return a Bad Request response.
+		if ( ! has_action( "admin_post_nopriv_{$action}" ) ) {
+			wp_die( '', 400 );
+		}
+
 		/**
 		 * Fires on a non-authenticated admin post request for the given action.
 		 *
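Review bot: The new `has_action()` guard changes the response for an unregistered action from an empty 200 to a 400, but the `admin_post_nopriv_{$action}` docblock that begins on the last lines of this hunk (and continues outside it) does not say so; the same applies to the `admin_post_{$action}` guard and docblock in the next hunk. Suggest adding a sentence to each docblock along the lines of `* Requests naming an action with no registered callback are rejected with a 400 response before this hook fires.` so plugin authors reading the hook documentation learn about the precondition. The `! has_action( ... )` test relies on `has_action()` returning a boolean when no callback argument is given, which appears to hold here since no callback is passed, but is worth confirming against the version of `WP_Hook::has_filter()` this tree ships.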
@@ -59,6 +69,11 @@
 		 */
 		do_action( 'admin_post' );
 	} else {
+		// If no action is registered, return a Bad Request response.
+		if ( ! has_action( "admin_post_{$action}" ) ) {
+			wp_die( '', 400 );
+		}
+
 		/**
 		 * Fires on an authenticated admin post request for the given action.
 		 *